New MnuBot banking trojan uses unusual tricks to hide behind MSSQL Traffic
Security researchers have found a new banking trojan named “MnuBot” that acts as a remote access trojan, with its creators using a Microsoft SQL Server database as its command-and-control infrastructure. Researchers at IBM X-Force Research discovered the new Delphi-based malware, which primarily targets Brazilian users.
Analysis of MnuBot revealed that its source code contains encrypted credentials for a connection to the remote Microsoft SQL Server database; these are decrypted just before the connection to the remote server is initialized. This allows the malware to communicate with its C&C server through SQL traffic.
"It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic," IBM X-Force researcher Jonathan Lusky explained. "To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic."
The malware’s attack takes place over two stages. In the first, the malware looks for a file called Desk.txt within the AppData Roaming folder. If the file exists, the malware knows it is already running in the current desktop; if it is missing, the malware creates the file and opens a new desktop environment in which it operates hidden from the user.
“Within the newly created desktop, MnuBot continually checks the foreground window name,” the researcher notes. “Once it finds a window name that is similar to one of the bank names in its configuration, it will query the server for the second stage executable according to the bank name that was found.”
The second-stage executable is a remote access trojan that is downloaded as a file named Neon.exe and includes social engineering forms for the targeted banks, which it overlays on top of the legitimate ones to steal user data. Among its key features is a dynamic configuration that lets the attackers flexibly change MnuBot’s malicious activities at any time. It also includes RAT capabilities that give attackers full control over an infected machine.
Other malicious capabilities at the attackers’ disposal include capturing browser and desktop screenshots, keylogging, simulating user clicks and keystrokes, restarting the PC and uninstalling applications.
“MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains,” researchers note. “For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”